|
@@ -70,6 +70,7 @@ public:
|
|
|
const pb_variable<FieldT> &addG,
|
|
|
const pb_variable<FieldT> &addH) :
|
|
|
gadget<FieldT>(pb, "ec_add_GH_gadget"),
|
|
|
+ // The coordinates of G, H, and G+H
|
|
|
Gx(0),
|
|
|
Gy("11977228949870389393715360594190192321220966033310912010610740966317727761886"),
|
|
|
Hx(1),
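Review bot: The added comment labels the hard-coded values as the coordinates of G, H and G+H, but it does not say how these generators were chosen or how a reader can re-check them. The commitment built from these points is only binding if nobody knows a discrete-log relation between the generators, which the later comment about "the DL of C in the (G,H) basis" relies on, so hard-coded points should carry their derivation. The x-coordinates 0 and 1 here, and `Cx(2)` in the `ec_pedersen_vec_gadget` hunk, suggest a smallest-valid-x rule, but that is an inference from the visible values and should be confirmed. I would extend the comment to something like `// G, H, G+H: generators derived by <DERIVATION RULE>; re-verify with <SCRIPT OR TEST>`, and do the same for the `-2^253*C` constants in `compute_m2nC` and the `C, C+G, C+H, C+G+H` constants. The initializer list continues outside this hunk, so the G+H members themselves are not visible here.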
|
|
@@ -94,12 +95,9 @@ public:
|
|
|
// are a _linear_ function of addG and addH (since G and H are global
|
|
|
// constants)
|
|
|
|
|
|
- // In particular:
|
|
|
- // G = (0, 11977228949870389393715360594190192321220966033310912010610740966317727761886)
|
|
|
- // H = (1, 21803877843449984883423225223478944275188924769286999517937427649571474907279)
|
|
|
- // G+H = (2864090850787705444524344020850508438903451433901276387624248428140647539638, 3350168998338968221269367365107720885864670493693161027931048546881356285970)
|
|
|
- // so the point to add is ( (GHx - Hx) * addG + (GHx - Gx) * addH + (Gx + Hx - GHx), (GHy - Hy) * addG + (GHy - Gy) * addH + (Gy + Hy - GHy))
|
|
|
- // = (2864090850787705444524344020850508438903451433901276387624248428140647539637 * addG + 2864090850787705444524344020850508438903451433901276387624248428140647539638 * addH - 2864090850787705444524344020850508438903451433901276387624248428140647539637, -18453708845111016662153857858371223389324254275593838490006379102690118621309 * addG - 8627059951531421172445993229082471435356295539617750982679692419436371475916 * addH + 30430937794981406055869218452561415710545220308904750500617120069007846383195)
|
|
|
+ // In particular, the point to add is ( (GHx - Hx) * addG + (GHx -
|
|
|
+ // Gx) * addH + (Gx + Hx - GHx), (GHy - Hy) * addG + (GHy - Gy) *
|
|
|
+ // addH + (Gy + Hy - GHy))
|
|
|
|
|
|
// (addx - inx) * lambda = addy - iny
|
|
|
this->pb.add_r1cs_constraint(r1cs_constraint<FieldT>((GHx - Hx) * addG + (GHx - Gx) * addH + (Gx + Hx - GHx) - inx, lambda, (GHy - Hy) * addG + (GHy - Gy) * addH + (Gy + Hy - GHy) - iny));
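Review bot: The rewritten comment keeps the interpolation formula but still omits its precondition. The expression used in the constraint below evaluates to G, H or G+H only when `addG` and `addH` are each 0 or 1, and at (0,0) it yields `(Gx + Hx - GHx, Gy + Hy - GHy)`, which is none of those three points. Nothing visible in this hunk shows where booleanity of `addG`/`addH` or the exclusion of the (0,0) case is enforced, and the enclosing function starts and ends outside the hunk. If that is a caller obligation, I would state it next to the formula, e.g. `// Requires addG, addH in {0,1} and not both 0; enforced by <WHERE>`. The removed literal coordinates also let a reader cross-check the member constants by eye, so a unit test asserting that `(GHx, GHy)` equals G+H would keep that check now that the comment no longer carries the numbers.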
|
|
@@ -158,6 +156,7 @@ private:
|
|
|
void compute_m2nC(FieldT &m2nCx, FieldT &m2nCy, size_t n)
|
|
|
{
|
|
|
if (n == 253) {
|
|
|
+ // Precomputed coordinates of -2^253*C
|
|
|
m2nCx = FieldT("2630025903576807331238993847875694711243784786568881628418508626984487096258");
|
|
|
m2nCy = FieldT("17628834417659968531880949658739649785248429713924280788649629869316127047701");
|
|
|
} else {
|
|
@@ -189,6 +188,7 @@ public:
|
|
|
const pb_variable_array<FieldT> &avec,
|
|
|
const pb_variable_array<FieldT> &bvec) :
|
|
|
gadget<FieldT>(pb, "ec_pedersen_vec_gadget"),
|
|
|
+ // Precomputed coordinates of C, C+G, C+H, and C+G+H
|
|
|
Cx(2),
|
|
|
Cy("4950745124018817972378217179409499695353526031437053848725554590521829916331"),
|
|
|
CGx("4998993376791159436553350546778310121346937620672073819457843493128326049156"),
|
|
@@ -236,8 +236,9 @@ public:
|
|
|
// C is unknown means we won't encounter O along the way, either (if
|
|
|
// we did, we could compute the DL of C in the (G,H) basis).
|
|
|
|
|
|
- // For the first bit, we just precompute C, C+G, C+H, C+G+H and use
|
|
|
- // the top bit of a and b to choose which one to start with.
|
|
|
+ // For the first bit, we just precompute C, C+G, C+H, C+G+H (the
|
|
|
+ // values are above) and use the top bit of a and b to choose which
|
|
|
+ // one to start with.
|
|
|
|
|
|
// accumx[0] = Cx + (CGx - Cx) * avec[numbits-1] + (CHx - Cx) *
|
|
|
// bvec[numbits-1] + (CGHx - CGx - CHx + Cx) *
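Review bot: "(the values are above)" in the new comment is a positional reference that will go stale. Going by the hunk headers, the precomputed constants sit in the initializer list near new line 188, while this comment is near line 236. Naming the members instead would survive later code movement, e.g. `// ... precompute C, C+G, C+H, C+G+H (members Cx, Cy, CGx, ... set in the constructor's initializer list) and use ...`. The comment block and the `accumx[0]` formula continue past the end of this hunk.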
|